Davidashvili
Member
Doing it now
@ https://github.com/winsiderss/systeminformer/issues/1142
Seems like the HWiNFO driver, and CPU-Z's for that matter, also got into the vulnerable driver blocklist.
So I have tested this first, without results:
@ https://github.com/winsiderss/systeminformer/issues/1142#issuecomment-1148635917
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable > 0
Then I also added this and HWiNFO was able to load again using both combinations:
@ https://github.com/winsiderss/systeminformer/issues/1142#issuecomment-1156480958
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled > 0
The guys mentioned above resolved the issue by renaming the driver, until the next time MS blocks it again. :-D
Also found this blocklist: https://docs.microsoft.com/en-us/wi...trol/microsoft-recommended-driver-block-rules
I didn't find anything related to HWiNFO64A_171.SYS in that list, but there is the certificate used by HWiNFO; I don't know if this is related:
Code:
<Signer ID="ID_SIGNER_MIMIKATZ_KERNEL" Name="GlobalSign CodeSigning CA - G2">
    <CertRoot Type="TBS" Value="589A7D4DF869395601BA7538A65AFAE8C4616385" />
    <CertPublisher Value="Benjamin Delpy" />
</Signer>
<Signer ID="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" Name="GlobalSign CodeSigning CA - G2">
    <CertRoot Type="TBS" Value="F6CAE0B028995EB13B1C2CCE5B5107384AB7C77279AE5560933E345061D99CC0" />
    <CertPublisher Value="Benjamin Delpy" />
</Signer>
<Signer ID="ID_SIGNER_MIMIKATZ_USER" Name="Certum Code Signing CA SHA2">
    <CertRoot Type="TBS" Value="F7B6EEB3A567223000A61F68C53B458193557C17E5D512D2825BCB13E5FC9BE5" />
    <CertPublisher Value="Open Source Developer, Benjamin Delpy" />
</Signer>
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />
Haha, it's funny, but I was reading the Windows 11 build 25145 announcement this morning: https://blogs.windows.com/windows-i...ncing-windows-11-insider-preview-build-25145/
There is a list of known issues, and one of those is "Some games that use Easy Anti-Cheat may crash or cause your PC to bugcheck". After doing some research on Easy Anti-Cheat, I found that it also uses kernel drivers. So I guess they have a similar situation.
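As an added example that is not from this thread or from HWiNFO: a PowerShell script that reads the two registry values discussed above and compares a driver's signing-certificate CN against the DeniedSigner publishers in a saved WDAC policy XML (the Microsoft block rules linked above, or any policy in that format). The policy file path is an assumed placeholder; the driver path is the one quoted in this thread.

```powershell
# Added example, not from this thread or from HWiNFO. Paths below are placeholders.
$PolicyPath = '.\DriverBlockRules.xml'                          # saved WDAC policy XML (assumed)
$DriverPath = 'C:\Users\hundr\Downloads\HWiNFO64A_171.SYS'      # driver path quoted in the thread
function Get-DriverBlockState {
    # The two values discussed above; $null means the value is not present and the
    # build's default applies (the blocklist is on by default on recent builds).
    $ci   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    $hvci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklistEnable = $ci.VulnerableDriverBlocklistEnable
        HvciEnabled                     = $hvci.Enabled
    }
}
function Get-DeniedPublishers([string]$Path) {
    # Collect every <Signer> that a <DeniedSigner> references, with its CertPublisher CN.
    # GetElementsByTagName ignores nesting, so this works on a full policy, not only the fragment above.
    [xml]$policy = Get-Content -Raw -Path $Path
    $deniedIds = @($policy.GetElementsByTagName('DeniedSigner') | ForEach-Object { $_.GetAttribute('SignerId') })
    foreach ($signer in $policy.GetElementsByTagName('Signer')) {
        if ($deniedIds -notcontains $signer.GetAttribute('ID')) { continue }
        $pub = @($signer.GetElementsByTagName('CertPublisher'))
        [pscustomobject]@{
            SignerId   = $signer.GetAttribute('ID')
            SignerName = $signer.GetAttribute('Name')
            Publisher  = if ($pub.Count) { $pub[0].GetAttribute('Value') } else { $null }
        }
    }
}
function Test-DriverAgainstPolicy([string]$Driver, [string]$Policy) {
    # Compare the driver's leaf-certificate CN with each denied CertPublisher. A WDAC signer
    # rule also requires the CertRoot TBS hash to match, so a CN hit here is a lead to verify,
    # not proof the policy blocks this file; no hit is not proof it is allowed (hash rules exist too).
    $sig = Get-AuthenticodeSignature -FilePath $Driver
    $cn  = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    $hits = @(Get-DeniedPublishers -Path $Policy | Where-Object { $_.Publisher -and $_.Publisher -eq $cn })
    [pscustomobject]@{
        Driver          = $Driver
        SignatureStatus = $sig.Status
        PublisherCN     = $cn
        DeniedPublisher = $hits.Count -gt 0
        MatchingSigners = ($hits.SignerId -join ', ')
    }
}
Get-DriverBlockState | Format-List
Test-DriverAgainstPolicy -Driver $DriverPath -Policy $PolicyPath | Format-List
```

Reading the CI\Config and DeviceGuard keys needs no elevation, so this can run as a plain user to see whether a machine still has the blocklist and HVCI enforced.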
Thanks for your great research!
I also did some research and getting a feeling that MS is now either explicitly or implicitly blocking certain 3rd party drivers.
The blocklist you found includes well known vendors - I can see the AMD Ryzen Master driver, CPU-Z, Sandra and many others, but none of them is related to HWiNFO. I think that list hasn't been updated for build 25145 yet, so we will see many more entries there soon...
It's an ugly thing to block so many drivers and entire software packages depending on them without any notifications or explanation why.
A service was installed in the system.
Service Name: HWiNFO64 Kernel Driver
Service File Name: C:\Users\hundr\Downloads\HWiNFO64A_171.SYS
Service Type: kernel mode driver
Service Start Type: demand start
Service Account: